Emergency Windows patch stops Flame malware from spoofing Microsoft security certificate

Microsoft issued a security advisory and emergency patch on Sunday after discovering Flame malware components were signed by a spoofed 'trusted' Microsoft digital certificate.

Microsoft released an emergency Windows update last night after discovering that components of the cyber-espionage Flame malware could trick customers by spoofing one of Microsoft's trusted digital signatures. The security advisory states, "Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."

Most customers are not at risk of such a highly targeted attack, but issuing the security advisory was Microsoft's first step to protect customers. The second step was to release a patch that blocks the spoofed Microsoft certificate. Lastly, Microsoft's Terminal Server Licensing Service will no longer issue digital certificates that allow code to be signed; this should take away attackers' ability to use Microsoft to spread Flame.

Microsoft Security Response Center Senior Director Mike Reavey wrote on the MSRC blog:

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

The emergency Windows update is the latest revelation about the sophisticated Flame malware, which has held the cybersecurity world mesmerized since its discovery. On the heels of finding Flame, a report came out which confirmed that America and Israel created Stuxnet. After 18 months of interviewing intelligence officials, David Sanger of the New York Times revealed that the George W. Bush administration authorized the cyber weapon program codenamed Olympic Games; President Obama continued it and increased cyberattacks on Iran.

Officials claim the Flame cyber weapon was not part of Olympic Games. ABC News attempted to find out if the USA created Flame, but the NSA, CIA, DOD and State Department "either declined to comment or referred ABC News to the Department of Homeland Security. The DHS said in a statement it was analyzing Flame to determine its impact on the U.S. but refused to comment on whether the U.S. had a hand in its creation."

As research, revelation and speculation continue, Microsoft concluded the following connection to the 20MB Flame malware:

Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.

Microsoft's decision to push an emergency Windows update on a Sunday signals how urgent it is: apply it immediately.
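The practical question for an administrator is whether the update has actually taken effect on a given machine, and whether a suspect binary's signature chains through the licensing intermediate the article names. The PowerShell below is an added example, not code from the article or from Microsoft; the only value taken from the article is the subject name "Microsoft Enforced Licensing Intermediate PCA". The store the update populates, the file path and the output layout are assumptions.

```powershell
# Added example (not from the article or Microsoft): a defender's check that the
# certificate the emergency update distrusts is present in the machine's
# Untrusted Certificates store, and that a given binary does not chain through it.

# Subject name quoted in the article as part of the chain the Flame components used.
$distrustedNames = @(
    'Microsoft Enforced Licensing Intermediate PCA'
)

# 1. Is the intermediate present in the Disallowed (Untrusted Certificates) store?
#    Assumption: the update blocks the certificate by placing it in this store,
#    which Windows consults before building the rest of the chain.
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
$blocked = $disallowed | Where-Object {
    $subject = $_.Subject
    $distrustedNames | Where-Object { $subject -like "*$_*" }
}
if ($blocked) {
    Write-Host "Update appears applied; distrusted certificates found:"
    $blocked | Format-Table -AutoSize Subject, Thumbprint, NotAfter
} else {
    Write-Warning "No matching certificates in the Disallowed store; the emergency update may not be applied."
}

# 2. Inspect a signed file's Authenticode chain for the licensing intermediate.
$file = 'C:\path\to\suspect.exe'   # assumption: replace with the file to inspect
if (Test-Path $file) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    Write-Host ("Signature status for {0}: {1}" -f $file, $sig.Status)
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: check chain shape only
        [void]$chain.Build($sig.SignerCertificate)
        $chain.ChainElements | ForEach-Object {
            $name = $_.Certificate.Subject
            $hit  = $distrustedNames | Where-Object { $name -like "*$_*" }
            if ($hit) { "$name  <-- distrusted by the update" } else { $name }
        }
    }
}
```

Run it in an elevated session so the LocalMachine store is readable. A signature whose status is Valid while the chain still lists the licensing intermediate is the combination this update exists to eliminate, so that output on a patched host means the machine has not been updated after all.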

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.